3/10/2018 


Threat Brief: What’s Driving the Shift to Cryptocurrency Mining Malware? 




Threat Brief: What’s Driving the Shift to Cryptocurrency Mining Malware?



By Ryan Olson (https://researchcenter.paloaltonetworks.com/author/ryan-olson/) 

March 6, 2018 at 5:00 AM 

Category: Threat Brief (https://researchcenter.paloaltonetworks.com/threat-brief/), Unit 42 (https://researchcenter.paloaltonetworks.com/unit42/) 

Tags: Bitcoin (https://researchcenter.paloaltonetworks.com/tag/bitcoin/), Cryptocurrency (https://researchcenter.paloaltonetworks.com/tag/cryptocurrency/), 
mining (https://researchcenter.paloaltonetworks.com/tag/mining/), Monero (https://researchcenter.paloaltonetworks.com/tag/monero/) 



Over the past six months, we’ve seen a major increase in the number of attack campaigns with the ultimate goal of mining cryptocurrency. It’s a 
subject Unit 42 has been tracking in the past year: 

• Large Scale Monero Cryptocurrency Mining Operation using XMRig (https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/)

• Unauthorized Coin Mining in the Browser (https://researchcenter.paloaltonetworks.com/2017/10/unit42-unauthorized-coin-mining-browser/)

• Rig EK One Year Later: From Ransomware to Coin Miners and Information Stealers (https://researchcenter.paloaltonetworks.com/2018/02/unit42-rig-ek-one-year-later-from-ransomware-to-coin-miners-and-information-stealers/)

• Monero Miners Continue to Plague Users via Russian BitTorrent Site (https://researchcenter.paloaltonetworks.com/2018/03/unit42-monero-miners-continue-plague-users-via-russian-bittorrent-site/)

So, what is driving a widespread shift from attackers and creating a significant trend in the industry? There are three factors at work: 

• The price of many cryptocurrencies has increased dramatically in the last 12 months, making it more profitable to mine coins compared to 
other criminal business models. 

• The risk of using a compromised PC to mine cryptocurrency is currently much lower than using it for other criminal activities. 

• One particular cryptocurrency, Monero, provides its users with very high privacy and can be mined efficiently on a regular desktop or laptop 
PC. These properties are not true of other cryptocurrencies, like bitcoin. 

To answer the question in more detail, it’s important to put yourself into the criminal’s shoes and consider what alternative routes they have to 
monetize infections. In this brief, we’ll share how this trend came to fruition, why it’s so prevalent, and how security professionals and defenders can 
keep an eye out for this rising type of threat. 


How Attacks Monetize Infections 

While targeted attacks gain the most attention from researchers and media, the majority of malware infections are untargeted and even 
indiscriminate. Instead of seeking out specific targets, many criminals aim to infect as many systems as possible and then turn those infections into 
cash. This has been true for over a decade, although the mechanisms available to criminals have shifted in that time. 

To understand where we are now, it helps to look at how we got here, and to look at the evolution of common cybercriminal activities. 

Back in the early 2000s, some of the earliest “botnet herders” made their income by relaying spam emails through infected computers. Over time, 
that business became less profitable due to anti-spam controls and ISPs preventing infected systems from directly relaying emails. 

In the mid-2000s, criminals made great profits from using Banking Trojans to steal credentials for online banking websites, and subsequently 
draining the accounts’ associated funds. This account takeover activity continues today, but various anti-fraud measures and law enforcement 
actions have made it less profitable and riskier for criminals. 

Another aspect of Banking Trojan infections is that, while the criminal may be infecting hosts indiscriminately, the value of the host greatly depends 
on the individual who owns it, and the criminals’ ability to “cash out” their bank account. Figure 1 is a capture from a book I wrote with some 
colleagues in 2008, “Cyber Fraud: Tactics, Techniques, and Procedures 
(https://www.crcpress.com/Cyber-Fraud-Tactics-Techniques-and-Procedures/Howard/p/book/9781420091274).” It shows the price that a criminal 
enterprise called FRAME DOLLARS was charging to infect computers in various countries at that time.

[Figure 1 image: screenshot of page 294 of “Cyber Fraud: Tactics, Techniques, and Procedures”, captioned “Figure 8.12 Frame Dollars last known payout rates.”]

Figure 1: Capture from Cyber Fraud: Tactics, Techniques, and Procedures showing prices of host infections by country. 


In 2007, the infection of a system in Australia went for US$0.60, while an infection in Poland was only a fraction of the cost, at US$0.096. The 
difference in price represented the difference in value: criminals were able to make more money through a Banking Trojan account takeover from 
an Australian infection than they could in Poland. This was due to many factors, but chief among them was that criminals were more successful at 
cashing out accounts from Australian infections than they were from systems in other parts of the world. 

As anti-fraud protections evolved, so did the criminals. Fast forward five years to 2013 and the rise of the Ransomware business model 
(https://researchcenter.paloaltonetworks.com/2016/05/unit-42-ransomware-trends/). This new way to generate profit had two major advantages 
over account takeovers: 

• Every system that is infected can be held for ransom, not just those belonging to users who also happen to bank online and have their 
credentials stolen. 

• Payments using cryptocurrency (primarily bitcoin) do not require interacting with banks, decreasing the risk and cost for cybercriminals of 
cashing out. 

Put another way, the ransomware model represented both increased efficiency and decreased risk in monetizing the infection. 

Anyone who’s been paying attention to cybercrime since 2013 is aware of the ransomware surge, infecting systems throughout the world and 
plaguing networks’ administrators. While only a tiny fraction (possibly 1 in 1000) of systems infected with a banking Trojan pay out for attackers, a 
much higher portion of ransomware victims pay to get their files back. While US$300 payments are less than a single account takeover could 
return, ransomware makes greater returns due to the volume and decreased risk in this new business model. Cybercriminals have become good 
business people: they saw the benefits and embraced the change. 


Enter “The Bubble” - Where We Are Now 

In the last two years, but particularly in the last six months, the price of bitcoin and other cryptocurrencies experienced a massive price surge with 
respect to the U.S. dollar and other fiat currencies. Here’s the chart for bitcoin over the last two years, showing a rise of 2,000% to 4,000% 
versus the U.S. dollar. 


[Figure 2 image: bitcoin price chart, Mar ’16 through Jan ’18, y-axis up to $20,000.00]

Figure 2: Price of bitcoin in U.S. dollars from CoinMarketCap 



While botnets mining cryptocurrency is nothing new (https://www.sciencedaily.com/releases/2014/02/140225101505.htm), the technique was much 
less profitable than using ransomware. In fact, with the rise of specialized bitcoin mining hardware, no regular PC can make any significant amount 
of money for an attacker. 

However, there are many other “crypto coins” in the market today. The one we see mined most by attackers is called Monero 
(https://getmonero.org/). In contrast to bitcoin, Monero was designed to enable private transactions using a closed ledger, and its mining algorithm 
can still be run effectively on both PC CPUs and GPUs. As the chart below shows, Monero has risen even faster than bitcoin in price in the last two 
years, with more than a 30,000% gain in U.S. dollars. 



[Figure 3 image: Monero price chart, May ’16 through early 2018]

Figure 3: Price of Monero in U.S. dollars from CoinMarketCap 


A normal PC used to mine Monero can earn around US$0.25 per day at the current prices. That number is small, but it’s important to note that it 
doesn’t matter what country or network a Monero miner is part of: computers in Australia and Poland mine at the same speed. Every infected 
system is a profit-generating resource when mining Monero, and users are much less likely to identify their infection and remove the mining 
program than they would be with ransomware. For context, in January, we found a Monero mining campaign 
(https://researchcenter.paloaltonetworks.com/2018/01/unit42-large-scale-monero-cryptocurrency-mining-operation-using-xmrig/) that infected 
around 15 million systems, largely in the developing world. If these systems remained infected for at least 24 hours each, the attackers could have 
earned well over 3 million U.S. dollars in Monero. 

Additionally, the risk of arrest and conviction is significantly lower than with ransomware, as mining cryptocurrency is less likely to generate reports 
to law enforcement than a data-destroying ransomware infection. 


What’s Next? 

This wave of attacks will continue as long as it maintains a high level of profitability with a low level of risk for cybercriminals. 

For defenders, it’s important to note that the techniques used to infect systems with coin mining malware are the same as they were for 
ransomware. Infections typically begin with emails carrying malicious macro documents, drive-by exploit kits targeting browsers, or direct attacks on 
servers running vulnerable software. There is no single solution to stopping these attacks, but the same technologies and policies you use to 
prevent other malware infections will be effective. 

Across the changing landscape of botnet herders, Banking Trojans, ransomware and coin mining is one constant: the business-savvy drive to 
maximize profit and reduce risk. Using these as our guide, we can make sense of where we are today, how we got here, and be prepared for what 
has yet to develop in the future. 

Here are three things to watch for: 

1. A marked increase in the price of Monero or other cryptocurrencies will draw even more attackers into this business. 

For many users, this could actually be a positive development, as the negative impact of having resources sapped from one’s computer is much 
less than paying a ransom or restoring your system from a backup due to ransomware. Conversely, a crash in the price of cryptocurrencies will 
decrease the profitability and drive criminals back to ransomware. 

2. Listen to your fans or keep an eye on your CPU usage. 

Many users realize their system is infected with coin mining malware when their laptop fans kick into high-speed mode to keep the overtaxed CPU 
cool. Listening to fans won’t work at the enterprise scale, but implementing widespread CPU performance monitoring could be a good way to find 
compromised devices. This will also help you identify the coin mining “insider threat,” as misguided administrators may see their organizations’ 
unused CPU time as a way to generate personal income. 

3. Criminals will find ways to target these attacks. 

Compromising a user’s browser or a regular home PC will net the criminal an average system for mining coins, but higher-end systems will 
generate more income. Attackers will soon begin targeting devices with higher specifications to get more bang for their buck. Gaming PCs with 
high-end GPUs and servers with large numbers of processing cores will be prime targets. 
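The CPU-monitoring idea from point 2 above, as an added example that is not part of the original post: a small detector over per-host CPU utilisation samples (the kind an endpoint agent or monitoring system exports) that flags hosts pegged for a sustained window while ignoring short spikes such as a build job. The telemetry, host names and thresholds are constructed for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry: one (host, timestamp, cpu_percent) row
# per host every 5 minutes. Values are made up for this example.
START = datetime(2018, 3, 6, 9, 0)
STEP = timedelta(minutes=5)

def _series(host, values):
    return [(host, START + i * STEP, v) for i, v in enumerate(values)]

SAMPLES = (
    # ws-01: a compile job, three saturated samples, then idle again
    _series("ws-01", [8, 12, 97, 99, 95, 10, 7, 9, 11, 8, 6, 9,
                      7, 10, 8, 9, 12, 8, 7, 9, 10, 8, 9, 7, 8, 10])
    # ws-02: pegged for two hours with one short dip (the miner pattern)
    + _series("ws-02", [88, 93, 97, 99, 96, 94, 98, 97, 95, 99, 96, 40,
                        98, 97, 99, 95, 96, 98, 97, 99, 96, 95, 98, 97, 99, 96])
    # ws-03: idle all morning
    + _series("ws-03", [3, 4, 5, 3, 2, 4, 3, 5, 4, 3, 2, 4,
                        3, 5, 4, 3, 2, 4, 3, 5, 4, 3, 2, 4, 3, 4])
)

def sustained_high_cpu(samples, threshold=85.0, window_samples=24, min_fraction=0.9):
    """Return {host: (first_ts, last_ts)} for hosts where, in some run of
    `window_samples` consecutive samples, at least `min_fraction` of them
    are at or above `threshold` percent CPU. 24 samples at 5-minute
    intervals is two hours; min_fraction < 1 tolerates brief dips, e.g. a
    miner that throttles while the user is active.
    """
    by_host = defaultdict(list)
    for host, ts, cpu in samples:
        by_host[host].append((ts, cpu))
    hits = {}
    for host, series in by_host.items():
        series.sort()
        hot = [cpu >= threshold for _, cpu in series]
        for i in range(len(series) - window_samples + 1):
            run = hot[i:i + window_samples]
            if sum(run) / window_samples >= min_fraction:
                hits[host] = (series[i][0], series[i + window_samples - 1][0])
                break  # the first qualifying window is enough to alert on
    return hits

if __name__ == "__main__":
    for host, (first, last) in sustained_high_cpu(SAMPLES).items():
        print(f"{host}: CPU >= 85% from {first:%H:%M} to {last:%H:%M}, review its processes")
```

On real data, pair the alert with a process listing from the host so that a legitimate workload (render farm, CI runner) can be whitelisted rather than re-alerted.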


https://researchcenter.paloaltonetworks.com/2018/03/threat-brief-whats-driving-shift-cryptocurrency-mining-malware/ 


3/4 


3/10/2018 


Threat Brief: What’s Driving the Shift to Cryptocurrency Mining Malware? 


Got something to say? 


Leave a comment... 


____ ___ _ .._ a 

Notify me of followup comments via e-mail 


Name (required) 


Email (required) 


Website 


SUBMIT 


SUBSCRIBE TO NEWSLETTERS 


Email 


SUBSCRIBE 


COMPANY 

Company (https://www.paloaltonetworks.com/company) 

Careers (https://www.paloaltonetworks.com/company/careers) 

Sitemap (https://www.paloaltonetworks.com/sitemap) 

Report a Vulnerability (https://www.paloaltonetworks.com/security-disclosure) 


LEGAL NOTICES 

Privacy Policy (https://www.paloaltonetworks.com/legal-notices/privacy) 
Terms of Use (https://www.paloaltonetworks.com/legal-notices/terms-of-use) 


ACCOUNT 

Manage Subscription (https://www.paloaltonetworks.com/company/subscriptions) 


Q( 


I) 


(https://www.linkedin.com/company/palo-alto-networks) ii (https://www.facebook.com/PaloAltoNetworks/) (https://twitter.com/PaloAltoNtwks) 


(https://ignite.paloaltonetworks.com/usa/? 



Campaignld=7010g000001 IH8U&utm_content=lgnite18USA&utm_medium=390x90banner&utm_source=website) 
© 2016 Palo Alto Networks, Inc. All rights reserved. 


SALES > 888.503.8762 » 


SEE A DEMO » 


TAKE A TEST DRIVE (HTTPV/CONNECT.PALOALTONETWORKS.COM/VIRTUAL-UTD) 


https://researchcenter.paloaltonetworks.com/2018/03/threat-brief-whats-driving-shift-cryptocurrency-mining-malware/ 


4/4 

















